Webmail :: Disable the red security token notification?

Discussion in 'User Experience' started by brt, Jul 15, 2015.

  1. brt

    brt Well-Known Member

    Joined:
    Jul 9, 2015
    Messages:
    46
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    MN
    cPanel Access Level:
    Root Administrator
    Is there any way to completely get rid of the ugly "The security token is missing from your request." notification that's so often on the webmail login page?

    It clutters up a nice, clean login page.
     

  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Have you tried closing all browser windows and then going back to Webmail and logging in properly, setting a new token?
     
  3. brt

    brt Well-Known Member

    I'm not asking for myself. I constantly see it on clients' computers, and it really seems like a pretty pointless notification.
    What is it actually telling the average user? "Hey, sign back in, please." Except... they can see that without the notification.
     
  4. joako

    joako Well-Known Member

    Joined:
    Aug 7, 2003
    Messages:
    97
    Likes Received:
    2
    Trophy Points:
    8
    Sometimes I type the webmail URL and it shows the token error. I log in, then it takes me back to the login screen saying "you have logged out".

    Haven't bothered to report this bug since it's hard to give instructions for "sometimes you type the URL and this message shows up", and anyway cPanel doesn't bother to fix any bugs that are reported.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    When do you see it exactly? Having a proper security token every time you login should be important.

    Opening multiple windows on the same account, for one example, might cause this sort of issue.
     
  6. joako

    joako Well-Known Member

    I am able to reproduce it like this:

    1. In Google Chrome, log in to webmail
    2. Keep the browser open, but close the webmail tab
    3. Visit the webmail login link (www.domain.com/webmail or https://fqdn.of.server:2096)

    In this case there is no issue logging in again and viewing the webmail, but the error "The security token is missing from your request" is shown.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Do you experience the same behavior if you clear your browser cache before attempting to visit the webmail URL again? The steps you provided indicate security tokens are working as designed. Per our documentation (for users visiting this thread who are unfamiliar with them):

    cPanel & WHM includes security tokens to help combat XSRF attacks. The system inserts unique security tokens into the URL for a single login session. Any requests that a user makes without the appropriate token produce an error and result in a request for re-authentication. This action effectively stops XSRF attacks because the malicious URL will not contain the appropriate token.

    Thank you.
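
The check described in the documentation quote above, replayed against the steps from post #6, as an added example that is not part of any post in this thread and is not cPanel's code. The `tok_` token format, the paths, the function names and the split between a plain login form and one carrying a notice are assumptions made for illustration.

```python
import hmac
import secrets

# In-memory session store for the demo: session cookie value -> security token.
SESSIONS = {}
TOKEN_PREFIX = "tok_"  # constructed token format, not cPanel's


def login():
    """Start a session; return (cookie value, post-login URL carrying the token)."""
    cookie = secrets.token_hex(16)
    token = TOKEN_PREFIX + secrets.token_hex(8)
    SESSIONS[cookie] = token
    return cookie, f"/{token}/webmail/inbox"


def handle_request(path, cookie=None):
    """Return (status, page) for a request, checking cookie and URL token."""
    expected = SESSIONS.get(cookie)
    if expected is None:
        # No live session: nothing to protect, so show the plain login form.
        return 401, "login form"
    first = path.lstrip("/").split("/", 1)[0]
    if not first.startswith(TOKEN_PREFIX):
        # Live cookie but no token in the URL: the browser attaches the cookie
        # automatically, so the request proves nothing about user intent.
        return 401, "login form + notice: security token missing"
    if not hmac.compare_digest(first, expected):
        return 401, "login form + notice: security token invalid"
    return 200, "webmail"


def reproduce_post_6():
    """Replay the steps from post #6, plus a forged cross-site style request."""
    cookie, url = login()                               # 1. log in
    in_session = handle_request(url, cookie)            # normal use, token in URL
    bare = handle_request("/webmail", cookie)           # 2-3. tab closed, bare URL
    forged = handle_request("/webmail/delete?id=1", cookie)  # constructed XSRF link
    fresh = handle_request("/webmail", None)            # cookies cleared
    return in_session, bare, forged, fresh


if __name__ == "__main__":
    for result in reproduce_post_6():
        print(result)
```

In this model the bare-URL visit and the forged link are indistinguishable to the server: both arrive with a valid cookie and no token, which is why the same notice appears in both cases.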
     
  8. brt

    brt Well-Known Member

    Ok, and that's great, but let's remove the red notice because it's pointless. If someone hits a login screen, this is 2015; they know their session has expired, or for whatever reason it's asking to re-login again.

    The problem isn't that they're somehow losing the token mid-session, but if you come back the next day [when you would expect to log in again] you don't just get a login form, you get an error as well.

    Throwing an error on the screen rather than just a login form is the problem here, as it implies there's a problem.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Sounds to me like you've bookmarked the page once you got to it (and it has the session ID in the URL).

    Try editing your bookmark to be, just: http://domain.com/webmail

    If you came back the next day and just typed in domain.com/webmail you should be getting a new session ID as well, and not seeing the error.
     
  10. brt

    brt Well-Known Member

    No -- see post #6 above to reproduce. I don't want to play the "I know what I'm doing" card because I hate it when people act like that but I'm not just some random end user; we host hundreds of websites for our clients and get asked about this quite a lot and I don't understand why when you come to the proper URL, even if you didn't actually sign out and have a previous active session open, why you get a session -error- message rather than just a login page.
     
    #10 brt, Aug 21, 2015
    Last edited: Aug 21, 2015
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I've got no clue what I'm doing but...
    That's a new session.
     
  12. brt

    brt Well-Known Member

    Yes, it is........ and I still insist that this doesn't warrant a big red error message, or any notification, for that matter. Just the regular login prompt.

    Is this really that hard to understand? A red warning message implies that something is amiss, and it confuses the technically challenged. They simply need to log in again. Nothing that warrants a big red error message.
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    No, I'm following along just fine, I think, thanks. ;)

    I think that's the idea. Not the latter, the former. Something is amiss.

    Proper browser sessions are important, more now than ever before.

    It may be ugly, but you/your clients get the point by its ugliness, I think. Your session is important and should be secured. More Info:

    Session (computer science) - Wikipedia
     
  14. brt

    brt Well-Known Member

    This is still not getting through, for some reason...

    I understand the session. I think that should stay as it is. If someone logs in, reads their email, closes the tab, and then even one minute later types domain.tld/webmail, yes, it should ask them to log in again. I don't have any issue with that so far.

    I don't think there should be a red error message, however, as there is no problem. They simply need to log in again. So just display the login page as if there is no "missing session".
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    It is.
     
  16. joako

    joako Well-Known Member

    I have not tried to clear the cache and cookies but I would assume that if you did there would be no red error message.

    Perhaps the message should be more user-friendly, such as "Your session has expired. Please log in again."
     
  17. brt

    brt Well-Known Member

    The question is: Why is any message required here at all? If I go to Facebook, or Google, or most any other site and I'm not logged in, I don't get a message about my session expiring; I get a login page, plain and simple.

    Keep the session expiration, keep all of the security aspects of this as they are. Simply ditch the error message and give a standard login page as normal.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
